July 22, 2024

Erosion of the Secret Ballot

Voting technology has changed greatly in recent years, leading to problems with accuracy and auditability. These are important, but another trend has gotten less attention: the gradual erosion of the secret ballot.

It’s useful to distinguish two separate conceptions of the secret ballot. Let’s define weak secrecy to mean that the voter has the option of keeping his ballot secret, and strong secrecy to mean that the voter is forced to keep his ballot secret. To put it another way, weak secrecy means the ballot is secret if the voter cooperates in maintaining its secrecy; strong secrecy means the ballot is secret even if the voter wants to reveal it.

The difference is important. No system can stop a voter from telling somebody how he voted. But strong secrecy prevents the voter from proving how he voted, whereas weak secrecy does not rule out such a proof. Strong secrecy therefore deters vote buying and coercion, by stopping a vote buyer from confirming that he is getting what he wants – a voter can take the payment, or pretend to knuckle under to the coercion, while still voting however he likes. With weak secrecy, the buyer or coercer can demand proof.

In theory, our electoral system is supposed to provide strong secrecy, as a corrective to an unfortunate history of vote buying and coercion. But in practice, our system provides only weak secrecy.

The main culprit is voting by mail. A mail-in absentee ballot is only weakly secret, the voter can mark and mail the ballot in front of a third party, or the voter can just give the blank ballot to the third party to be filled out. Any voter who wants to reveal his vote can request an absentee ballot. (Some states allow absentee voting only for specific reasons, but in practice people who are willing to sell their votes will also be willing to lie about their justification for absentee voting.)

Strong secrecy seems to require the voter to cast his ballot in a private booth, which can only be guaranteed at an officially run polling place.

The trend toward voting by mail is just one of the forces eroding the secret ballot. Some e-voting technologies fail to provide even weak secrecy, for example by recording ballots in the order they were cast, thereby allowing officials or pollwatchers who record the order of voters’ appearance (as happens in many places) to connect each recorded vote to a voter.

Worse yet, even if a complex voting technology does protect secrecy, this may do little good if voters aren’t confident that the system really protects them. If everybody “knows” that the party boss can tell who votes the wrong way, the value of secrecy will be lost no matter what the technology does. For this reason, the trend toward complex black-box technologies may neutralize the benefits of secrecy.

If secrecy is being eroded, we can respond by trying to restore it, or we can decide instead to give up on secrecy or fall back to weak secrecy. Merely pretending to enforce strong secrecy looks like a recipe for bad policy.

(Thanks to Alex Halderman and Harlan Yu for helpful conversations on this topic.)


  1. In the UK it is much harder to film your vote without election officials spotting you doing it, because the two steps (1) indicating your preference on the ballot; and (2) finalizing your vote; are separate. You indicate your preference by marking the ballot paper, and you do so in a private voting booth. Filming this step without anyone seeing you would be straightforward. But you finalize your vote in public by depositing the (folded) ballot paper in the ballot box, which takes place in public, and under the scrutiny of an election official.

  2. Whenever I have voted on an electronic machine, at sign-in I’ve been given a little slip of paper with a 4-digit number on it as an “Access Code”. How do I know that this isn’t used to match my actual vote details with the registration information that i used to sign in with and get the access code? The votes could be recorded by name in a database, for all I know. There is no technical reason against it.

    This is part of the larger problem that electronic voting is not *publicly verifiable* as to integrity *or* anonymity. No clever design that would assure these values in theory can be adequate: it cannot be verified in person by non-experts, and eyewitness monitoring of the whole process by non-technical independent observers is the only thing that can provide to the general population a rational basis for confidence in the elections.

  3. Ned Ulbricht says

    You put the rolls of ballots and the stacks of envelope in the booths.


    This can lead to a simple DoS attack against that voting booth. You want to limit the number of ballots that a voter can consume to a reasonable number—say five—and if they spoil more than that , then require them to get assistance. Alternatively, you could place the ballots in a stack in an openly-observed area, but then the problem becomes encouraging voters to take more than one.

  4. Ok Neo: Kidnap OR tail them and ‘persuade’ them not to vote.


  5. If they know the target’s polling station, they could just camp out there (or have their henchmen do so) to report on him (or beat him up) if he shows up there.

  6. Let polling station votes override postal votes by the same person. That way, even if the postal vote is sent by the buyer, they cannot be sure the voter hasn’t/won’t vote differently in person unless they kidnap them.

  7. Ed,

    I’m not implying that any coersion is taking place, nor any overt concealment, in those poll numbers.

    However, the apparent fact is that one way or another tens of millions of married people seem to be unaware that their spouses disagree on candidates. This alone is an argument for a secret ballot: the situation itself is made possible by a secret ballot.

    Also, as you point out in your article, you don’t need coersion for people to amend their votes: the perception that others will see my ballot provides a chilling effect, even if nobody ever threatens me, even if I never expect anyone to threaten me.

    I envision a perfectly normal pro-Alice household, where one family member defects from Alice to Bob, but wouldn’t feel comfortable doing this if the others would find out. You have the potential for arguments, and the general tenor of a pro-Alice household, where every morning the radio is tuned to an AM talk radio station where some guy ridicules Bob-voters as traitors and idiots.

    I think that aside from coersion, we have the basic effect of social mores: we behave according to certain rules when we believe other people are watching. I have friends and family of widely disparate political views, who get along by not bringing up the subject. Removing the secret ballot property is a way of forcing the subject of personal preferences into the open, and hence subjecting it to the forces of peer pressure etc.

  8. Xcott,

    The poll results don’t necessarily show that wives are concealing their votes from their husbands. If a couple never discussed how they voted in a particular race, then a survey like this is essentially a test of whether the husband can guess or predict the wife’s vote. If a husband tends to overpredict how often his wife will vote the same way, this is interesting, but it isn’t necessarily evidence of coercion or deception.

  9. Charles suggests a strong secrecy mechanism for use in voting booths. Voting booths already provide strong secrecy (if you’re not allowed to bring people into the booth with you, don’t use a camera inside the booth, etc). The problem is with schemes where you vote at home instead of in a booth.

    The problem with the disabled voters’ ballots looking different is solved by having them vote on a machine that prints out a paper ballot just like everyone else’s. That ballot is deposited in the mix along with the rest. Non-disabled voters would have the option of using the same machines, so the ballots coming from the machines would not all have come from disabled voters, but hand-marked ballots should also be accepted.

  10. A very timely post.

    We need to consider whether strong secrecy is actually a more important societal value than transparency, auditability, and ease of use. There are so many other ways that votes can be influenced, that outright buying may no longer be one of the top three concerns.

    If I have my history straight, before the adoption of the “Australian” secret ballot, in many American jurisdictions, votes were a matter of public record: You wote your vote in the poll book and signed it. Obviously, this was open to many abuses, and I would not want to go all the way back. But I might settle for weak secrecy if that were the price for being sure my vote was counted the way I cast it.

  11. “Presumably there are clever cryptographic ways to do this work — to make it clear which ballots are no longer valid in the presence of other ballots without revealing which voter invalidated which ballot.”

    No need for cryptography. If all your concerned about is making vote-buying unattractive, you need only distribute ballots in a “toilet paper roll”-style and enveloppes in a “atm deposit”-style. You put the rolls of ballots and the stacks of envelope in the booths. Then you equip the booths with paper shredders. Voters may take as many ballots as they wish, but they may only put one sealed envelope containing a single well filled ballot. Anything else will be discarded during count.

    Obviously, this doesn’t solve the original problem of mail-in ballots or electronic votes. I just thought it was a cute solution to the cryptography solution. Toilet paper rolls was the answer…

  12. I’ve posted this before – it’s an interesting chart showing California’s experience with voting by mail. It reports the percentage of ballots cast by mail from 1962 to 2006:


    The percentage has increased over this time from 3% to 47% as of the last election. Pretty dramatic.

  13. Another failure of secrecy is in election primaries, you have to reveal your party preference. Particularly if you are a member of a third party, you really stand out in some locales. Everyone’s like, here comes the Libertarian. We were wondering when you were going to show up. Not much privacy there. In fact in some areas just being a member of one of the two major parties makes you pretty conspicuous. It’s too bad that you have to accept this revelation of your unpopular views in order to vote with your party.

  14. Ned Ulbricht says

    All of these ballot cancellation schemes seem to suffer from the difficulty of demonstrating a failure of election integrity to an outside observer—especially in a close election.

    In Sarasota, in Florida’s 13th Congressional District Race, the ES&S machines reported an undervote in about 1 out of every 7 ballots cast. In some precincts, the undervote was more than 1 out of every 4 ballots—almost 1 out of every 3. This was an election failure. Nevertheless, note the strong political pressure urging everyone to ignore the gross indicators.

    With a ballot cancellation scheme, what happens when a relatively small, but significant number of voters claim an unprovable replacement of their vote? Or, how do you assure that that doesn’t happen?

  15. Grant Gould says

    Observable ballots aren’t going away: Whether absentee or hand-marked or what-have-you, it’s precisely the most recordable ballots that are gaining. So I don’t think the answer here is to make ballots less observable — that’s just fighting the tide.

    Rather, the way to provide strong secrecy is through ballot cancellation mechanisms. It should be possible to vote any number of times, through different means, and still have only a predictable one of those votes (the last one?) count. Presumably there are clever cryptographic ways to do this work — to make it clear which ballots are no longer valid in the presence of other ballots without revealing which voter invalidated which ballot.

  16. Strong secrecy is already questionable now that digital cameras and camera phones exist, payment could be exchanged by showing a picture of the filled out ballot/voting screen.

    One solution is to design an electoral system that is difficult to confirm photographically.

    For example, in my local district, the ballot machines are old switch/lever machines. You set the switches to your candidates, and pull the big lever to simultaneously (a) record the vote, (b) reset the switches, and (c) open the curtain. If I tried to film this process on a camera phone I’d be holding the camera as the curtain opened. This at least impedes covert filming.

  17. Anthony Scian says

    Strong secrecy is already questionable now that digital cameras and camera phones exist, payment could be exchanged by showing a picture of the filled out ballot/voting screen. Of course, this isn’t a perfect proof of their vote since a ballot could be spoiled and redone after the picture was taken, but as long as it is sufficient in the illegal world of vote purchasing, no cryptographic or social constructs can prevent it totally.

  18. David Jefferson says

    This is an important comment that too often gets missed, and I am really glad to see you bring it up. Over the last few years we have been trading vote secrecy for just about every other voting system virtue, and we are at the point where there is very little strong vote secrecy left.

    Strong secrecy has been eroded in ways besides those you point out. For example, if 500 votes are cast in a precinct on paper ballots, and all are properly randomized in the same ballot box, then at the end of the day someone who wants to figure out how you voted can only say that your ballot is one of the 500 in the box. But if there are four voting machines and the 500 votes in the precinct are spread evenly across them, and an observer see which voting machine you used, then he now knows that yours is one of the 125 ballots stored in that machine, a 4-fold decrease in your privacy simply because there are four “ballot boxes” instead of one. This may not sound like much of a privacy threat, but if you put that together with other known idiosyncratic facts about you (e.g. you are a Green party member, or your spouse, whom very few people would vote for, is running for the water board) it is often enough of an edge to be able to single out your ballot from the smaller 125-ballot pool, and not in a larger pool.

    The most extreme irony has to do with voting by the blnd or otherwise disabled. A major reason for HAVA and the move toward electronic voting was to provide the means for the disabled to vote in private and unassisted. However, as things have evolved, in many districts around the country (such as mine, Contra Costa County, CA) optical scan systems are provided for the majority of voters, but fully electronic voting machines (or other machines, such as Automark, that produce distinguishable ballots) are made available primarily for the disabled. At the end of the day, there may be only a handful of votes cast on the machines used by the disabled. This means that someone trying to determine how a disabled person voted can trivially narrow it down to a choice of one out of that handful. The net effect is that the privacy for disable voters is vastly lower than for the majority of voters, and one of the major justifications for HAVA and the expenditure of billions of dollars on elecronic voting machines is almost completely undermined.

  19. Also, to emphasize that this is a widespread problem:

    There was a poll conducted in 2003 that said some 75% of married men *think* their wives vote as they do, whilst only 50% of married women agreed.

    If you believe those numbers enough to extrapolate, then tens of millions of married women are voting differently and keeping that fact to themselves. That’s a lot of people who rely on secret ballots.

    I have recently argued with some vote-by-mail advocates, who claim that coersion is a small phenomenon. But this is not overt coersion: if I don’t feel comfortable defecting when people can see my ballot, and I decide not to, it is not under any overt threat.

    Another important matter is opt-in vs opt-out privacy. A common argument for vote-by-mail is that those who need secrecy can fill their ballots privately and deposit them at the election office. However, a family member who opts for this privacy while the rest of the family vote together is going to raise suspicion. Opt-in privacy is impossible, if the opting-in leaks information.

    In contrast, absentee ballots are a form of opt-out privacy, provided they are not sufficiently widespread.

  20. Overall, the postal voting system is no more prone to fraud than other electoral systems.

    I know because Tony Blair said so.


    This was after a judge had ordered new elections, overturning those won by Blair’s party in Birmingham, saying the level of fraud “would disgrace a banana republic”.


    Just to emphasize this isn’t just an academic issue.